On May 10, 2021, the Tenable team informed us of a CSRF vulnerability on SecureDrop’s Journalist Interface. Details are now available on their advisories page.
An adversary could forge a malicious link that, if clicked on from within Tor Browser on the Tails OS Admin Workstation while an admin is logged into the SecureDrop Journalist Interface, would deliver a test OSSEC email to the admin's email account via the SecureDrop web application.
We consider the likelihood of exploitation of this vulnerability to be very low:
- In order to craft the exploit, the adversary would need to know the Journalist Interface’s Onion Service URL, which is a 56-character alphanumeric string that is kept secret.
- The adversary would need to successfully target an administrator, who uses a dedicated Tails environment to access the Journalist Interface, segmented from their daily workstations.
- The administrator would have to be logged into the Journalist Interface within Tor Browser when the exploit is triggered.
We consider the impact of this vulnerability to be low:
- A successful attack is limited to sending an encrypted test alert to the administrator’s inbox.
- The adversary has no control over the contents of the message nor over the email address.
- No application or email data can be accessed or modified.
- This attack is easy to detect, as administrators will receive email notifications.
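The class of weakness described above is a cookie-authenticated endpoint that performs an action on any request the browser sends, so a link on an attacker-controlled page is enough to trigger it. The following added example (not SecureDrop code, and not the fix shipped in 1.8.2) contrasts such an endpoint with a hardened version that requires a POST and a per-session synchronizer token. The web layer, route name `/admin/ossec-test`, session store and alert function are all constructed for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins for a Flask-style request and session; hypothetical,
# not the SecureDrop application's own types.
@dataclass
class Request:
    method: str
    path: str
    cookies: dict            # sent automatically by the browser
    form: dict = field(default_factory=dict)

@dataclass
class Session:
    admin: str
    csrf_token: str          # random per-session secret, embedded in forms

SESSIONS = {}                # session cookie value -> Session (constructed)
SENT_ALERTS = []             # records each test alert "sent" (constructed)

def login(admin: str) -> str:
    """Create a logged-in admin session and return the session cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(admin=admin, csrf_token=secrets.token_urlsafe(32))
    return sid

def send_test_alert(admin: str) -> None:
    """Stand-in for dispatching the OSSEC test email."""
    SENT_ALERTS.append(admin)

def handle_vulnerable(req: Request) -> int:
    """Authenticates only by cookie and acts on any method: CSRF-prone.

    A forged link opened while the admin is logged in carries the cookie,
    so the action fires even though the admin never intended it.
    """
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 403
    if req.path == "/admin/ossec-test":
        send_test_alert(session.admin)
        return 200
    return 404

def handle_hardened(req: Request) -> int:
    """Requires POST plus a token only a same-site form could have obtained."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 403
    if req.path == "/admin/ossec-test":
        if req.method != "POST":
            return 405      # state-changing actions never ride on GET
        token = req.form.get("csrf_token", "")
        # constant-time comparison avoids leaking token bytes via timing
        if not hmac.compare_digest(token, session.csrf_token):
            return 400      # token missing or wrong: reject before acting
        send_test_alert(session.admin)
        return 200
    return 404

def forged_request(cookie: str) -> Request:
    """What a cross-site link produces: a GET carrying only the victim's cookie."""
    return Request("GET", "/admin/ossec-test", {"session": cookie})

def legitimate_request(cookie: str) -> Request:
    """A submission from the application's own form, token included."""
    return Request("POST", "/admin/ossec-test", {"session": cookie},
                   {"csrf_token": SESSIONS[cookie].csrf_token})

def demo() -> dict:
    """Run both handlers against forged and legitimate requests."""
    SENT_ALERTS.clear()
    sid = login("admin")
    return {
        "vulnerable_forged": handle_vulnerable(forged_request(sid)),
        "hardened_forged": handle_hardened(forged_request(sid)),
        "hardened_no_token": handle_hardened(
            Request("POST", "/admin/ossec-test", {"session": sid})),
        "hardened_legit": handle_hardened(legitimate_request(sid)),
        "alerts_sent": len(SENT_ALERTS),
    }

if __name__ == "__main__":
    print(demo())
```

In the demo the vulnerable handler sends an alert for the forged request, while the hardened handler rejects it (405 for the GET, 400 for a POST lacking the token) and only the legitimate form submission is accepted, so exactly two alerts are recorded. Marking the session cookie `SameSite=Lax` or `Strict` adds a second, browser-enforced layer, but the token check is what makes the endpoint safe regardless of client behaviour.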
The fix shipped in SecureDrop 1.8.2, released on May 18, 2021. On May 19, 2021, the Tenable team confirmed the fix.
We are grateful to the Tenable team for their research and for responsibly disclosing their findings to us.
Researchers may submit any security vulnerability either through our bug bounty program or via encrypted email to securedrop@freedom.press (public key fingerprint: 734F 6E70 7434 ECA6 C007 E1AE 82BD 6C96 16DA BB79).